Pretty sure adding the extra groupby bits or not doing it doesn't seem to make a difference to it not aggregating alerts into incidents for us. (Well, if you don't include the groupByField, don't include the normalize bit. Hope that makes sense.)

Inspect the attached. The short version is the interesting ESA raw alert data is (I think the meta we check is originalAlert, but could be wrong, or is it alert? IM translates originalAlert->Alert with groupby_extra_meta_fields I take it?)

alert.events:threat_desc,threat_category,

Add the custom meta keys mimicking the alias host/domain meta into

vi /opt/rsa/im/fields/alert_rules.json

Add extra array meta unroll group-by helper bits into

vi /opt/rsa/im/scripts/normalize/normalize_alerts.js

Restart IM, save the alert definition. Re-trigger the alert.

Heh, any help would be greatly appreciated. Our local support basically gave up on it being not properly documented (probably not a bad point, and it'll break again after an upgrade).
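As an added illustration of what the "array meta unroll group-by helper" step above is trying to achieve (this is not RSA NetWitness code, not the contents of normalize_alerts.js, and not from the poster), the hypothetical helper below flattens array-valued meta such as alert.events[].threat_desc and threat_category into single group-by keys, so that alerts carrying the same threat meta land in the same bucket (i.e. would aggregate into one incident) while alerts with different meta do not. The field names, the alert shape and the sample alerts are all constructed assumptions.

```javascript
// Added example, not RSA NetWitness code: a hypothetical normalization
// helper that unrolls array meta (alert.events[].threat_desc / threat_category)
// into flat group-by keys so an incident-aggregation rule can match on them.
// The raw alert shape is constructed to resemble
// "alert.events:threat_desc,threat_category" and is not captured from a real system.

// Assumed groupByField names (constructed; match them to your own alert rule).
const GROUP_BY_FIELDS = ["threat_desc", "threat_category"];

// Collect every distinct value of each group-by field across all events of an
// alert and join them deterministically, so identical alerts produce identical keys.
function normalizeGroupByMeta(originalAlert, groupByFields = GROUP_BY_FIELDS) {
  const events = Array.isArray(originalAlert.events) ? originalAlert.events : [];
  const groupBy = {};
  for (const field of groupByFields) {
    const values = new Set();
    for (const ev of events) {
      const v = ev[field];
      if (v === undefined || v === null || v === "") continue; // skip empty meta
      if (Array.isArray(v)) v.forEach((x) => values.add(String(x)));
      else values.add(String(v));
    }
    groupBy[field] = [...values].sort().join(",");
  }
  return groupBy;
}

// Build the composite key an aggregation rule would compare on.
function groupKey(groupBy, groupByFields = GROUP_BY_FIELDS) {
  return groupByFields.map((f) => `${f}=${groupBy[f] ?? ""}`).join("|");
}

// Constructed sample alerts: a1 and a2 carry the same threat meta (a2 with an
// extra event missing threat_category) and should share a key; a3 should not.
const SAMPLE_ALERTS = [
  { id: "a1", events: [{ threat_desc: "Brute force", threat_category: "credential" }] },
  { id: "a2", events: [
      { threat_desc: "Brute force", threat_category: "credential" },
      { threat_desc: "Brute force" },
  ] },
  { id: "a3", events: [{ threat_desc: "Beaconing", threat_category: "c2" }] },
];

// Group alert ids by their normalized key; each bucket is a would-be incident.
function bucketAlerts(alerts) {
  const buckets = new Map();
  for (const a of alerts) {
    const key = groupKey(normalizeGroupByMeta(a));
    if (!buckets.has(key)) buckets.set(key, []);
    buckets.get(key).push(a.id);
  }
  return buckets;
}

for (const [key, ids] of bucketAlerts(SAMPLE_ALERTS)) {
  console.log(key, "->", ids.join(","));
}
```

The useful check when debugging the situation in the post is the one this code makes explicit: print the composite key each alert actually ends up with after normalization. If two alerts you expect to aggregate produce different keys (for example because one has the meta under originalAlert and the other under alert, or because an array value is being stringified differently), the aggregation rule has nothing equal to match on, whatever the groupByField setting says.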